﻿
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<!-- saved from url=(0014)about:internet -->
<html xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:mssdk="winsdk" xmlns:script="urn:script" xmlns:build="urn:build" xmlns:MSHelp="http://msdn.microsoft.com/mshelp">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
<meta name="Description" content="Choosing Network Security Credentials"/>
<meta name="MSHAttr" content="PreferredSiteName:MSDN"/>
<meta name="MSHAttr" content="PreferredLib:/library/windows/hardware"/>
<title>Choosing Network Security Credentials</title>

<meta name="MS-HAID" content="r09_symbols_6523e42e-b81c-4372-afb4-889ea40ed799.xml"/>


<link rel="STYLESHEET" type="text/css" HREF="../common/backsdk4.css"/>





<style>
html,div { margin: 0; padding: 0;}

body {
	padding: 0px;
	margin: 0px;
	overflow: auto;
	height: 100%;
}

#winchm_template_button{
	float: right;
	width: 93px;
	top: 7px;
	position: relative;
	text-align: right;
	right: 5px;
	height: auto;
}

#winchm_template_top{
	padding: 0px;
	margin: 0px;
	border-bottom: 1px solid #9B9B9B;
	background-color: #B1CEFE;
}

#winchm_template_navigation{
	margin: 0px;
	padding-top: 7px;
	padding-left: 7px;
	padding-bottom: 3px;
	padding-right: 0px;
	font-size: 8.5pt;
	font-family: Arial, Helvetica, sans-serif;
	font-weight: normal;
	color: #585858;
}

#winchm_template_title{
	margin: 0px;
	padding-top: 4px;
	padding-left: 7px;
	padding-bottom: 7px;
	padding-right: 0px;
	font-size: 18px; 
	font-family: Verdana, Geneva, sans-serif;
	color: #363636;
}

#winchm_template_content{
	margin-top: 20px;
	margin-left: 15px;
	margin-bottom: 20px;
	margin-right: 15px;
	width: auto  !important;
	width: 100%;
}

#winchm_template_footer{
	border-width: 1px;
	border-color: #B1CEFE;
	border-top-style: solid;
	margin-top: 15px;
	margin-left: 15px;
	margin-bottom: 20px;
	margin-right: 15px;
	padding-top: 7px;
	padding-left: 0px;
	padding-bottom: 0px;
	padding-right: 0px;
	font-family: arial, helvetica, sans-serif;
	font-size: 8.5pt;
	color: #696969;
	width: auto;
	text-align: left;
}


#winchm_template_container{
	margin: 0px;
	padding: 0px;
	position: static;
	padding-bottom: 3px;
	overflow: auto;
	background-color: #FFFFFF;
}


@media print
{
#winchm_template_container{
	position: static;	
	margin: 0px;
	padding: 5px;
	
	width: auto;
	height: auto;
	overflow: auto;
}
#winchm_template_button{
visibility:hidden;
}
}

#winchm_template_navigation A:link	{text-decoration: none; color:#004080}
#winchm_template_navigation A:visited  {text-decoration: none; color: #004080}
#winchm_template_navigation A:active {text-decoration: none; color: #004080 }
#winchm_template_navigation A:hover {text-decoration: none;color: #0080FF}

A:link	{text-decoration: underline; color:#0033CC}
A:visited  {text-decoration: underline; color: #0033CC}
A:active {text-decoration: underline; color: #0033CC }
A:hover {text-decoration: underline;color: #FF0000;}
</style>
<script type="text/javascript">
function isMobile(){
Agent = window.navigator.userAgent;
if (Agent.indexOf("iPhone")>=1 || Agent.indexOf("iPad")>=1 || Agent.indexOf("iPod")>=1 || Agent.indexOf("Android")>=1){
return true;
}else{
return false;	
}

}
function d_onresize(){
if (window.navigator.userAgent.indexOf("MSIE")>=1){
document.getElementById('winchm_template_container').style.pixelWidth = document.body.offsetWidth - 3;
document.getElementById('winchm_template_container').style.pixelHeight = document.body.offsetHeight - document.getElementById('winchm_template_top').offsetHeight - 4;
}
document.getElementById('winchm_template_container').style.top = document.getElementById('winchm_template_top').offsetHeight + 'px';
}

function d_onbeforeprint(){
document.getElementById('winchm_template_container').style.width = 'auto';
document.getElementById('winchm_template_container').style.height = 'auto';
}

function d_onafterprint(){
d_onresize();
}

if(!isMobile()){

window.onload = d_onresize;
window.onresize = d_onresize;
window.onbeforeprint = d_onbeforeprint;
window.onafterprint = d_onafterprint;

document.write("<style>\n");
document.write("body {overflow: hidden;}\n");
document.write("#winchm_template_container {position: absolute;overflow: auto;top : 0px;right: 0px;bottom: 0px;left: 0px;}\n");
document.write("</style>\n");
}

</script>
</head>
<body><script language="JavaScript" type="text/JavaScript">
function syn(){
if(parent.nav.tree){
 if(parent.nav.tree.loaded){
  parent.nav.tree.selectNode(1513);
 }else{
  setTimeout("syn()",500);
}
  }else{
  setTimeout("syn()",500);
  }}
if(parent!=self){
  setTimeout("syn()",100);
}else{
  parent.location.href = "../../index.htm?page=debugger/choosing_network_security_credentials.htm";
}
originalOnload = window.onload;
if(originalOnload==null){
window.onload = function(){parent.contentLoaded = true;};
}else{
window.onload = function(){originalOnload();parent.contentLoaded = true;};
}
</script> 


<div id="winchm_template_top">
	<div id="winchm_template_button"><A href="configuring_the_registry.htm" title="Previous topic"><img id="winchm_template_prev" alt="Previous topic" src="../template2/btn_prev_n.gif" border="0"></a><A href="configuring_iis_for_symproxy.htm" title="Next topic"><img id="winchm_template_next" alt="Next topic" src="../template2/btn_next_n.gif" border="0"></a></div>
	<div id="winchm_template_navigation">Help &gt; 
<A href="introduction6.htm">Debugging Tools for Windows (WinDbg, KD, CDB, NTSD)</A> &gt; <A href="symbols.htm">Symbols for Windows Debugging (WinDbg, KD, CDB, NTSD)</A> &gt; <A href="accessing_symbols_for_debugging.htm">Accessing Symbols for Debugging</A> &gt; <A href="symbol_stores_and_symbol_servers.htm">Symbol Stores and Symbol Servers</A> &gt; <A href="symproxy.htm">SymProxy</A> &gt; </div>
	<div id="winchm_template_title">Choosing Network Security Credentials</div>
</div>
<div id="winchm_template_container">
	<div id="winchm_template_content"><div id="mainSection"><p>The symbol proxy server must run from a security context with the appropriate privileges for access to the symbol stores that you plan to use.  If you obtain symbols from an external Web store such as https://msdl.microsoft.com/download/symbols, the symbol proxy server must access the Web from outside of any firewalls.  If you obtain files from other computers on your network, the symbol proxy server must have appropriate privileges to read files from those locations.  Two possible choices are to set the symbol proxy server to authenticate as the <b>Network Service</b> account or to create a user account that is managed within Active Directory Domain Services along with other user accounts.</p>
<div class="alert"><b>Note</b>    It is a good practice to limit privileges of this account to only those necessary to read files and copy them to c:\symstore.  This restriction prevents clients that access your HTTP store from corrupting the system.</div>
<div> </div>
<div class="alert"><b>Note</b>  Make sure the options presented here make sense in your environment. Different organizations have different security needs and requirements. Modify the process outlined here to support the security requirements of your organization.  </div>
<div> </div>
<h3><a id="authenticate_as_a_network_service"></a><a id="AUTHENTICATE_AS_A_NETWORK_SERVICE"></a>Authenticate as a Network Service</h3>
<p>The <b>Network Service</b> account is built in to Windows, so there is no extra step of creating a new account.  For this example, we name the computer where the symbol proxy server is being configured <i>SymMachineName</i> on a domain named <i>corp</i>.</p>
<p>External symbol stores or Internet proxies must be configured to allow this computer's <b>Network Service</b> account (Machine Account) to authenticate successfully.   There are two ways to achieve this:</p>
<ul>
<li>
<p>Allow access to the <b>Authenticated Users</b> group on the external store or Internet proxy.</p>
</li>
<li>
<p>Allow access to the Machine Account <i>corp\SymMachineName$</i>.  This option is more secure because it limits access to just the symbol proxy server's "Network Service" account.</p>
</li>
</ul>
<h3><a id="Authenticate_as_a_Domain_User"></a><a id="authenticate_as_a_domain_user"></a><a id="AUTHENTICATE_AS_A_DOMAIN_USER"></a>Authenticate as a Domain User</h3>
<p>For this example, we will presume the user account is named <i>SymProxyUser</i> on a domain called <i>corp</i>. </p>
<p class="proch"><img src="../common/wedge.gif" alt=""/><b>To add the user account to the IIS_USRS group
     </b></p>
<ol>
<li>
<p>From <b>Administrative Tools</b> open <b>Computer Management</b>.</p>
</li>
<li>
<p>Expand <b>Local Users and Groups</b>.</p>
</li>
<li>
<p>Click <b>Groups</b>.</p>
</li>
<li>
<p>Double-click <b>IIS_USRS</b> in the center pane and select <b>Properties</b>.</p>
</li>
<li>
<p>	Under the <b>Members </b>section, click <b>Add</b>.</p>
</li>
<li>
<p>Type <i>corp\SymProxyUser</i> in the pane labeled <b>Enter the object name to select</b>.</p>
</li>
<li>
<p>To exit the <b>Select Users, Computer, or Groups</b> dialog box, click <b>OK</b>.</p>
</li>
<li>
<p>To exit <b>IIS_USRS Properties</b>, click <b>OK</b>.</p>
</li>
<li>
<p>Close the <b>Computer Management</b> console.</p>
</li>
</ol>
<p></p>
<p class="proch"><img src="../common/wedge.gif" alt=""/><b>Set up IIS to use the account</b></p>
<ol>
<li>
<p>From <b>Administrative Tools</b> open <b>Internet Information Services (IIS) Manager</b>.</p>
</li>
<li>
<p>Expand <b>Web Sites</b>.</p>
</li>
<li>
<p>	Right click <b>Default Web Site</b> and choose <b>Properties</b>.</p>
</li>
<li>
<p>	Click the <b>Directory Security</b> tab.</p>
</li>
<li>
<p>	In the <b>Authentication and access control</b> section, click <b>Edit…</b>.</p>
</li>
<li>
<p>	Make sure that <i>Enable anonymous access</i> is checked.</p>
</li>
<li>
<p>	Enter the credentials of the account that has permissions to access the remote symbol server store(s) (“corp\SymProxyUser”) , then click <b>OK</b>.</p>
</li>
<li>
<p>	Re-enter the password when asked and click <b>OK</b>.</p>
</li>
<li>
<p>To exit <b>Default Web Site Properties</b>, click <b>OK</b>.</p>
</li>
<li>
<p>	You may be presented with the <i>Inheritance Overrides</i> dialog.  If so, select which virtual directories you want to have this apply to.</p>
</li>
</ol>
<h3><a id="authenticate_as_a_domain_user"></a><a id="AUTHENTICATE_AS_A_DOMAIN_USER"></a>Authenticate as a Domain User Using the IIS_WPG group</h3>
<p>For this example, the user account is named <i>SymProxyUser</i> on a domain named <i>corp</i>.  To authenticate this user account, it must be added to the <b>IIS_WPG</b> group.</p>
<p class="proch"><img src="../common/wedge.gif" alt=""/><b>To add the user account to the IIS_WPG group
     </b></p>
<ol>
<li>
<p>From <b>Administrative Tools</b> open <b>Computer Management</b>.</p>
</li>
<li>
<p>Expand <b>Local Users and Groups</b>.</p>
</li>
<li>
<p>Click <b>Groups</b>.</p>
</li>
<li>
<p>Double-click <b>IIS_WPG</b> in the right pane.</p>
</li>
<li>
<p>Click <b>Add</b>.</p>
</li>
<li>
<p>Type <i>corp\SymProxyUser</i> in the pane labeled <b>Enter the object name to select</b>.</p>
</li>
<li>
<p>To exit the <b>Select Users, Computer, or Groups</b> dialog box, click <b>OK</b>.</p>
</li>
<li>
<p>To exit <b>IIS_WPG Properties</b>, click <b>OK</b>.</p>
</li>
<li>
<p>Close the <b>Computer Management</b> console.</p></li></ol></div></div>	
	<div id="winchm_template_footer">Copyright &copy; 2019. All rights 
reserved. (To change the copyright info, just edit it in template.)</div>
</div>

</body>
</html>
